
Naavi.org

Building a Responsible Cyber Society…Since 1998

The recent fight between ICANN and the German judiciary over whether there is a “legitimate interest” in ICANN collecting and publishing domain name registration details is an indication of the war going on between the EU and the US for economic supremacy on the global platform. The EU wants to snatch away the advantage the US enjoys as a global IT player. In this war, the EU is trying to use GDPR as an instrument to make US business bow before EU authorities. In this fight, EU administrators and courts will stand with whichever interpretation of GDPR favours the EU. This bias is visible in the ICANN case.

We must understand that ICANN already has a contract under which the registrars have obtained their licence and are running a commercial activity. GDPR is now being interpreted as a superimposed law that invalidates the earlier contract. If GDPR has to be brought into domain name contracts, then the existing contracts will have to be revised, or ICANN should cancel the registrar licences of all those who fail to adhere to the contractual terms.

Domain name registrations are already often done under unverified e-mail addresses and are used to commit many crimes, including phishing and fake news distribution. There is an urgent need to build a trustworthy Internet and to prevent the misuse of the liberties that enable easy registration of domain names under fake e-mail addresses, or under e-mails registered with service providers who are dark web constituents untouchable by international law. Now GDPR is giving legitimacy to such dark web activities and reducing the law enforcement powers of global authorities.

If an EU citizen books a domain name and hosts a website that delivers content to people outside the EU, then that is an activity outside the EU's law-making jurisdiction. There is no reason the world should accept the anonymous registration of a website through an EU registrar.

The objective of GDPR is to protect the privacy right of an EU citizen. It cannot be an instrument for launching a cyber war on non-EU citizens through websites registered by EU registrars. If the EU wants a system of domain name registration that allows secrecy of the registrant, it is welcome to create a closed Internet system in which no information goes out of EU borders. It can be a dark web within the current dark web, which non-EU countries should be able to block off.

The provision of registrant details and their preservation by registrars is an essential aspect of cyber security, and the EU authorities have displayed a blind faith in privacy and ignored the adverse effect of the legislation if it is interpreted as it is now sought to be interpreted.

Currently the disputing registrar in the EU is taking the stand that it will not collect admin contact and technical contact details, and that no registrant details are to be made available under WhoIs search, because such details are not required for delivering the service.

Domain Name Registration is a Commercial Activity

Registering a domain name is not a fundamental right of a person in which the privacy right is embedded. It is a commercial decision that a person takes so that the content of the website can be used for some benefit, either directly, as in an e-commerce website, or indirectly through advertisement revenue or brand building.

Hence when an individual books a domain name there is no fundamental right of privacy under which the registrant should be allowed to hide himself and use the services. If this argument is extended, no Government should collect details of the promoters and directors of a company, because the personal details of the promoters and directors get recorded and made available for a number of reasons to a number of authorities.

Hence the decision of the German Court was incorrect, and there is no reason why GDPR should impinge on activities such as the display of IP addresses in e-mails and WhoIs data in the case of domain names.

In fact, providing the contact details and ownership particulars of a website is a necessary disclosure under law in India. Hiding the IP address of the sender of an e-mail, as e-mail service providers such as Google do, is open assistance to criminal activity. Present remedies, such as the Police contacting a relationship manager through a notice, cause delay in investigations and impede cyber crime prevention.

The demand of GDPR on ICANN's activities is a symptom of a larger malaise in which criminals who want to hide are taking over the current transparent systems of administration, and in the long run this will seriously damage law enforcement. As a result cyber crimes will increase, and cyber terrorists will use the EU as their base to launch attacks on the world.

Hence we should oppose the move of the German Court and demand that ICANN immediately transfer all domain name registrations from EU registrars to other registrars, for which ICANN can arrange a new “Domain Name Transfer Auction” to redistribute the domain names presently under the control of EU registrars.

The EU registrars may exit the business and develop an internal EU-only Internet system in which they can introduce anonymous domain name registrations, similar to the numbered Swiss bank account system. Just as the Swiss authorities benefited from global black money, the EU can now benefit from the dark web activities that can effectively run as an EU-Internet.

If we do not take a firm stand on this, EU registrars may gradually take over the business from the registrars in the rest of the world, since there is a large community who would like to hide and throw stones at others. If these masked stone pelters keep working alongside genuine domain name registrants, there will be no value for honest web operators.

Remedy in India

While there is an economic fight going on between the US and the EU, with the EU using GDPR as a weapon, India is caught in the crossfire, since a good part of the Indian IT business provides services to US companies who in turn provide services to the EU. Indian companies also do part of their business with the EU directly. Under both categories, GDPR is trying to impose itself as if it were the law applicable in India.

There is also the impending Indian Data Protection Act (IDPA) and the pressure of the Aadhaar-related demands on privacy protection, which are clouding the judgement of many experts.

The media, as usual, does not understand the real issues and is only interested in TRP-based reporting.

If, therefore, IDPA becomes a replica of GDPR, as the UK has shamelessly done in drafting the UK DPA, there will be many in the media patting Justice Srikrishna and his team on the back, saying, “Wow, India is as great as the EU in drafting privacy law”.

But the law makers should put the interest of the country ahead of the temporary headlines in newspapers that may praise them while drafting the Indian DPA.

Some time back there was discussion in India that websites would have to be registered with the Government. To move now into the GDPR-suggested regime of “anonymously registered domain names” would be a significant departure from that earlier thinking.

The Ministry of Home Affairs (MHA) in the Central Government is responsible for maintenance of law and order in the country, along with the State Governments. It is clear that cyber crime is a matter of increasing concern to the MHA, not only because of the increasing digital push to commercial activities but also because of the mis-application of certain laws such as privacy laws.

I urge the MHA to be aggressive and take up with the Justice Srikrishna Committee that under no circumstance should cyber security be compromised in drafting the privacy law. The Supreme Court should also take a stand in the interest of the security of the country rather than give misplaced importance to anonymous cyber transactions for protecting privacy.

I am sure there are enough experts in India who are so committed to privacy that they would not mind “masked cyber stone pelters” being protected in the garb of human rights, while those who get hit are not considered to have any human rights. They would all hail GDPR and push Indian authorities to adopt a “Cyber Criminal Friendly Indian Data Protection Act”.

But I fondly hope that Justice Srikrishna will resist such pressure and suggest a law that is fair to honest people and does not err on the unsafe side.

Naavi

GDPR has changed the landscape of cyber laws by redefining their priorities. So far the concern of society was mostly on “preventing damage to a citizen” through cyber crime laws. This was achieved by defining certain actions as “contraventions” and/or “offences” and either imposing a “civil liability to pay compensation” or treating the act as a “criminal offence” in which the perpetrator will “pay a penalty to the Government and face imprisonment”.

“Unauthorized access” to data was therefore considered a cyber crime, and the person who caused a wrongful loss through an act that contravened the law was asked to pay compensation, for which the victim had to prove the extent of damage suffered. If the unauthorized access was intentional and had a “malicious intent”, it was considered a “crime punishable with imprisonment and fine”. Criminal action was a state action and intended to be a deterrent. Civil action was meant to recover the loss suffered by the victim.

When unauthorized access was accompanied by “data theft”, “data deletion”, “data modification”, “impersonation”, “cheating”, “profit making”, etc., the crime was considered a higher order crime and the punishment could be harsher. But civil damages were always based on the actual loss suffered by the victim, which he was supposed to prove during the trial.

The cyber crime laws focused on providing deterrent punishments commensurate with the gravity of the crime, and on easy grievance redressal through fast court systems, simplified procedures, etc.

India provided such measures through ITA 2000, in which “Adjudication” was provided as a fast court system to compensate the victims of cyber crimes. ITA 2000 was representative of the first generation of cyber crime laws, where the target was to provide protection to a victim of cyber crime.

Out of necessity, the first generation cyber crime laws did address the responsibilities of an “intermediary” and the need for the intermediary to take suitable “due diligence” steps to make it harder for criminals to benefit and, if they do, to provide suitable evidence to law enforcement to bring the culprits to book. Sections 85 and 79 of ITA 2000 were meant for this purpose.

The second generation of cyber crime laws, represented by ITA 2008 (the amended version of ITA 2000), apart from defining more cyber crimes, was fundamentally different from ITA 2000 in its greater emphasis on the role of “information/cyber security”. For example, ITA 2008 introduced data protection clauses such as Sections 43A and 72A, providing civil and criminal penalties if “personal/sensitive personal data” is not adequately protected by a data processor, a term which included the data controller, data consumer or data collecting agent. There were also data retention provisions under Section 67C, and regulatory powers for different authorities under Sections 69, 69A, 69B and 70B, which represented the requirements of national security and law enforcement.

ITA 2008 was stringent enough in terms of “non-compliance”, but the penalties were not in the form of huge financial penalties collected by a regulator; they took the form of the long imprisonment terms the Act provided for.

GDPR and the UK DPA 2018 represent the third generation of cyber laws, where, more than the crime itself, prevention is considered the greater responsibility and intermediaries are subject to penalties that could be crippling.

GDPR raises a concern about the power of a “Supervisory Authority” to pursue penalties for non-compliance to the extent of 4% of the global turnover of an undertaking, which bears no relation to the actual damage that the data subjects might have suffered due to the non-compliance.

ITA 2008, on the other hand, provides up to 7 years' imprisonment in the case of Sections 69 and 69A, 3 years under Section 69B and 1 year under Section 70B. The fines were in the range of up to Rs 1 lakh or were left unstated.

Though the criminal punishments under ITA 2008 are heavy, the courts evaluate the crime and arrive at the actual punishment, both in terms of imprisonment and fine. Indian courts provide enough opportunity for the accused to seek justice based on the actual facts of a case.

However, GDPR has now placed in the hands of an executive the power to impose a billion-dollar fine, even in cases where the non-compliance may be technical and may not result in significant damage to the citizens whose privacy right the Act tries to protect.

It appears as if “non-compliance” with a regulatory provision is a greater offence than an actual cyber crime in which somebody is cheated of a million dollars.

This is a wrong prioritization in the justice system, where the “failure to implement crime prevention” is considered a bigger crime than what the “criminal” has committed.

An analogy would be to impose a life term on a security guard who forgot to lock the gates of the godown from which a thief stole some valuables, while the thief himself is punishable with imprisonment of two or three years.

EU authorities may justify their action by stating that the penalty provision is just an enabling provision and would not be imposed in an unfair manner.

But was there any need to place such a stringent provision without checks and balances? It would have been better to leave the larger amount of penalty to the courts instead of the executive. GDPR has failed in this regard to be a fair legislation.

We may recall that ITA 2008 placed a Rs 5 crore cap on the power of the Adjudicator and left higher penalties to the discretion of the courts. But the EU did not provide for such checks and balances before indicating a threatening level of penalties.

It appears that regulators have started treating penalty provisions as an opportunity for “profiteering” rather than as a deterrent.

This could well be the tendency of the new generation of privacy protection laws, which are actually one part of cyber crime law, applicable only to the misuse of one type of data called “personal data”. Every data theft is also a cyber crime and there is already a legal penalty for it. Administrative fines are just one of the penalties that may be imposed on an intermediary in respect of a cyber crime and should not ideally be more damaging than the punishments meant for the cyber crimes themselves.

Let us leave aside the European laws, since the EU is unmindful of the damage it is doing to its own business fabric through such crazy penalties. India is now considering its own data protection law, which Justice Srikrishna is in charge of drafting.

We need to watch and see whether the Justice Srikrishna Committee falls into the trap set by GDPR and the UK DPA 2018 and makes data protection legislation overpower the cyber crime laws, or keeps it as a law subordinate to the cyber crime law, as it normally should be.

Many suggestions have been made to the Committee in this regard, and we need to watch the developments so that India can show the world how to frame data protection laws that are fair to all stakeholders.

India should also remember that GDPR is a terrorist-friendly and criminal-friendly regulation and India cannot afford to toe its line. Hence the Right of Erasure must be avoided, and the Rights to Restriction and Correction should be moderated with appropriate data retention protections. These are required in the interest of national security, which GDPR has ignored but we cannot.

Naavi

 

The earlier article, on GDPR's entry into India being like Vasco da Gama's discovery of India, has attracted some interesting reactions from industry professionals.

While we may accept that the intention of GDPR is to protect the privacy of natural persons, and that therefore there are “data subject's rights” including the “Right to Erasure”, “Right to Access”, “Right to Data Portability”, “Right to Restrict Processing”, “Right to Correct”, etc., we must point out that any attempt to impose the regulation unilaterally on Indian citizens is to be resisted, because it is a question of the sovereignty of the country.

I consider that GDPR has provisions which recognize that other countries, including the EU member countries, may have overriding provisions in their national interest; it is the intermediary analysts who are confused and spreading the message that GDPR is applicable to all companies and to citizens of all countries.

We therefore need to fight against the “self-subjugation mentality” of some consultants who give a larger-than-life importance to the EU legislation.

While laws can have extraterritorial jurisdiction built into them as an “enablement”, their implementation is subject to acceptance by the other international Governments by way of a treaty.

Hence, as long as there is no specific treaty between India and the EU to implement GDPR, Indian companies are not directly liable under GDPR.

However, ITA 2008 is a local law. DISHA 2018 would be another law of India, and the Data Protection Act of India, when passed (the Justice Srikrishna law), would be a law of India which needs to be implemented in India.

At the present juncture, the GDPR provisions can be extended to Indian data processors only through the data processing contracts signed between the Indian data processors and their international business partners. When Indian companies sign on to blanket indemnity provisions without an upper limit to their liability, they will be confronted with contractual disputes in due course if there is any claim by the international partners. Additionally, under the provisions of GDPR, data controllers are empowered to literally extract the trade secrets of the data processors, and if the data processors do not realize this and resist, they will be subject to business secret disclosures and searching technology audits by external agencies, which will hurt their business interests in the long run.

Further, many of the provisions of GDPR are simply un-implementable, since they are not conceived correctly, though some provisions to bypass the un-implementable provisions are built in. However, when there is a conflict, EU supervisors and courts may take a partisan view against non-resident companies and disallow any attempt to use special provisions that may look like an attempt to bypass the popular perception of a privacy protection provision.

In such a situation, I would have expected industry bodies such as NASSCOM and DSCI to have come up with proper guidance for Indian companies, particularly the SMEs in the data processing segment.

However, by organizing a “Welcome GDPR” event in Delhi on 25th May 2018, the Government of India has indicated that it may fail to show the required concern for the welfare of Indian data processors, particularly in the SME sector, who do not have a voice in NASSCOM or DSCI.

There is a possibility, however remote, that GDPR will be used by EU-based businesses to squeeze the sweat out of Indian processors without commensurate reward. One notice from a business partner to show cause why it should not invoke an indemnity provision in the contract would make an Indian processor succumb to any pressure to reduce prices to levels at which processing EU data will no longer be sustainable.

Slowly, the EU will impose its own certification bodies and approved codes, which Indian processors will be forced to buy and adopt, and the Indian data processing industry will be subjugated into a data processing colony of the EU.

The US will be in a similar situation, but because of its economic muscle it will wriggle out of the vice grip of the EU GDPR through a new version of Safe Harbor, Privacy Shield or Standard Contractual Clauses, supported by the strong US courts.

But in India we are unlikely to have similar support from the Government and the current industry associations. The only saviour I see is the Justice Srikrishna law, in which some provisions can be incorporated that will not allow such international hegemony. Hence my earnest appeal to the Srikrishna Committee. I am aware that the Committee is again dependent on DSCI and NASSCOM for advice, but Mr Srikrishna should have an independent mind of his own and can see through any attempt to dilute the sovereign rights of India in resisting the attempt of international regulations to undermine the freedom of existence of Indian companies through unfair legislation and unfair implementation.

It is in this context that I urge the SMEs in the data processing industry in India to secure their interests by forming their own association and developing a collective strength to be heard in India and abroad.

In case the Justice Srikrishna Committee does not propose the necessary protective measures within the legislation, it would be necessary for the association to seek changes. Instead of waiting for the draft to be released before crying injustice, it is preferable that the industry moves now and, before the imposition of GDPR on 25th May 2018, develops a collective strategy to ensure that the Indian data processing industry is not unduly harassed. The association should move towards developing its own “Privacy Protection Codes” for implementation in the data processing environment for Indian citizens and non-Indian citizens, and show the world that India can respect democratic norms without challenging the sovereignty of another country, as GDPR proposes to do.

If we do not act now, India will face the self-destruction of its data processing business segment, and it will happen with the help and assistance of many Indian industry establishments and associations who may think that they are globalizing the Indian data processing industry and cornering business opportunities.

I request Justice Srikrishna as well as Mr Ravi Shankar Prasad to respond to the concerns expressed here and assure the citizens of India that their interests will not be undermined.

Naavi


We have many times through these columns urged the Justice Srikrishna Committee, which is drafting the new data protection law for India, to ensure that an “umbrella protection” is provided to Indian companies against being unfairly targeted under the EU GDPR by EU companies and the EU data protection regime.

As we approach D-Day, 25th May 2018, when GDPR becomes operational, many companies in India are getting into panic mode over the impact of GDPR on their business. The indications are that companies think GDPR applies to all their activities, and this is leading them to believe that they need to take many actions which they are not bound to take. Partly this panic is being induced by US companies who engage Indian data processors for part of their processing activities. In the process, many Indian companies are revising their business contracts to meet the GDPR requirements as they perceive them, endangering their own and the country's business interests.

These contracts typically contain indemnity obligations which include compensation payable for any loss caused to the vendor. Since this is likely to include administrative fines under GDPR, Indian companies may be forced to underwrite the GDPR obligations of international companies, though their revenue share is only a part of the entire industry's revenues.

There is a national interest in ensuring that unfair and unconscionable liabilities are not introduced into the data processing contracts that Indian companies are forced to enter into.

These contracts are “dotted line contracts” and need to be fairly constructed. However, in practice it is difficult to expect Indian companies to resist signing such contracts because of business relationship considerations.

It is therefore necessary that Indian legislation provides protection to such companies in the national interest.

One option available to us, since we are about to draft our own data protection law, is to use that opportunity to define a grievance redressal mechanism under which it is mandatory for international data protection contracts to be pre-approved by the Indian Data Protection Authority, without which no liability may be imposed on Indian entities.

GDPR itself recognizes that some member states may not permit the imposition of administrative fines and has suggested that suitable alternative measures may be provided in the member state laws. [Refer Article 83(9)]

The Indian Data Protection Act should also incorporate equivalent protection, so that any payment of fines under GDPR data processing contracts is considered void unless approved under Indian law.

Though GDPR should be interpreted as a law applicable to “activities in the EU”, there is an attempt to interpret it as a “global law” and let the EU determine the law for other sovereign countries. I am not sure if the EU is really so arrogant as to assume that, in the 21st century, other countries will tolerate the EU legislating the activities that take place outside the EU, even if the intention is laudable. But many in India are more loyal than the king and, when asked to bend, are happy to crawl. This tendency should be resisted.

Though Article 2(2) clearly states that

“this Regulation does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law”

many analysts are interpreting it as if, under Article 3(2), controllers and processors not established in the EU are also subject to the Regulation without any restriction.

Some non-EU companies are falling into the trap of Article 27 (representatives of controllers or processors not established in the Union) and thinking that they need to appoint representatives in the EU, without recognizing that the act of appointing a representative itself brings them under EU jurisdiction even if otherwise they are not.

Indian companies need to avoid voluntarily jumping into the jurisdiction of the EU and dragging in liabilities which the EU law-making body has no authority to impose.

(Refer to the article here, where the GDPR scope is discussed in detail by one analyst; very informative and indicative of the perceptions of the global community)

Welcoming the Vasco Da Gama

Unfortunately, it appears that no adequate attempt has been made by NASSCOM or DSCI to advise Indian companies properly and ensure that their interests are protected.

On 25th May 2018, a high-profile event is being organized in New Delhi as if India wants to celebrate GDPR. EU Commission representatives are expected to participate in this, along with DSCI, NASSCOM and Government officials.

Even Justice Srikrishna is likely to attend this event and speak.

As a result of the participation of NASSCOM, DSCI and Justice Srikrishna, it will appear as if India is endorsing GDPR.

To me this appears similar to the Indians who welcomed Vasco da Gama to India without realizing that it was the beginning of colonial rule, which extended for centuries thereafter, with all kinds of economic pirates entering India, including the French and the British.

Now a similar danger seems to be in front of us in the form of GDPR. Indian companies need to be protected against the unfair incidence of GDPR, and we must prevent it being used for building an economic colony in India by EU companies.

Even if at present GDPR appears to be only a privacy protection legislation and a good “standard” which can be adopted as an industry practice, we must realize that adoption of GDPR will be followed by GDPR codes and certifications approved by the supervisory authorities of EU countries.

These GDPR certification processes will replace ISO standards and create a huge business potential for GDPR-related security services and products.

I must disclose that I could be one of the beneficiaries of such a development, since I may be providing consultancy and educational programs in the area and am also working on patent-pending software that should help Indian companies with compliance. However, in the interest of the community, it is necessary to raise a red flag against GDPR turning out to be an instrument for the exploitation of Indian business interests.

I request that the EU refrain from projecting itself as the privacy saviour of the world community and avoid going overboard with the “extraterritorial jurisdiction” of its laws. If it desires to use GDPR for expanding its business network, it needs to enter into a business treaty with the Indian Government ensuring a fair exchange of mutual benefits.

Since it appears that our IT Ministry might not have realized what the Indian data processing industry is walking into in the guise of GDPR, I urge Justice Srikrishna to step in and introduce suitable provisions in the proposed Data Protection Act so that our national interests are not undermined by the application of GDPR, directly or indirectly, to IT operations in India.

Naavi

Also Refer: Data Protection Law should provide a Jurisdictional umbrella

As we enter the final stages of public consultation on the drafting of the new Data Protection Act of India, following the release of the White Paper by the Justice Srikrishna Committee, one aspect of the law that needs attention is the “Right to Know” of an individual, which often conflicts with the “Right to Privacy” of another individual.

Right To Know is a different concept

“Right to Know” is a concept that GDPR has also ignored, and there is an opportunity for India to introduce this concept into the discussions on privacy.

Let me explain with an example why this concept is different from other known concepts, including the “Right to Information”.

When somebody calls us on the phone, the first thing we want to know is “Who is calling?”. If the other person says, sorry, I value my privacy and would not like to reveal my identity, or I would like to talk under a pseudonymous name, the question arises whether this is a valid privacy argument or not.

Similarly, when I receive an e-mail from somebody who says he is Jignesh420@gmail.com, I have the right to know whether he is really somebody I know or not. I do not trust the display name, since I know that Google does not do a KYC before allocating the user name. I therefore do not know if the e-mail is “spam”, an attempt to “impersonate” or an attempt to commit a fraud on me. If I want to know more about the person, I need to know his IP address.

However, Google, in its misdirected concept of privacy, hides the IP address behind a proxy address of Google's own, which cannot be deciphered without the intervention of law, and that takes too much time and effort, and often the bribing of law enforcement personnel, just to send a notice to the Gmail administration.

I therefore ask a question to the law makers,

Do I not have a right to know the true IP address of the person who has sent me an e-mail?

If Privacy activists want the IP address to be hidden in the email while it is in transit, I demand that Google should introduce a procedure by which every recipient of an e-mail should be able to raise a one click query to know the IP address from which an E-Mail has been sent to him and Google should automatically provide the information.

Similarly, any ISP should also provide the last mile resolution of the IP address to any person who can prove that he has been in receipt of a communication from such IP address.

This is what I consider as the “Right to Know” and it extends to the Facebook and Twitter accounts as well as social media such as the Whats App.

If the "Right to Know" is upheld as a right of an individual, it does not conflict with the right to privacy of an individual, except that the sender's privacy stops at the doorstep of the rights of the receiver of a communication. Rather, it provides a new right to the recipient of an electronic communication, just as the "Right to Speech" co-exists with the right to privacy in law.

This "Right to Know the IP address" extends to other instances such as

a) Right to know the identity of a Domain Name Registrant

b) Right to know the identity of the owner of a telephone number or mobile number from which the recipient has received at least one call, or which is reasonably suspected to have been used for the commission of an offence

…. and maybe other instances as well, to be defined just like the multiple parameters we may use for classifying "Sensitive Personal Information" under the law.

Aadhaar has recently introduced a link on its site to provide the Aadhaar usage history of a person, which is a great measure towards transparency. But the information is provided on the basis of a transaction code that cannot make any sense to the Aadhaar user. It has to provide the name of the entity that made the query, either directly on the website itself or through a link protected by a second OTP authentication. This also falls under the "Right to Know".

The procedure for extracting the information in the above cases must be simple and require nothing more than

a) Identification of the person making the request, with something like a digital signature or Aadhaar

b) A statement of the suspected contravention of law, or proof of being the recipient of an attempted communication

c) A commitment not to use the information for any purpose other than the stated purpose, with an undertaking to be liable for the consequences of misuse

I request Justice Srikrishna Committee to consider this suggestion and incorporate it into its recommendations.

(Comments Invited)

Naavi

(This is a continuation of the previous article)

2. One of the questions that arose during the discussions was on the “Data Breach Notification requirements” under the proposed act.

One concern of the industry was that "data breach" reporting to the data subjects should not be mandated, and that even if it is required, it should not be as immediate as notification to an industry authority etc.

This is a standard response from industry whenever data breach notification is suggested in any data protection act. Industry wants to protect its reputation by sweeping the data breach under the carpet. While most industry players would jump at an Aadhaar leakage when it is reported, they would not like a breach in a Bank coming out in the open. Hence the demand that they should be exempted from notifying their customers of a data breach.

Some industry players also raised the need for time to determine whether a "suspected data breach" is actually a "data breach", or whether an incident is not a data breach at all but only a "Denial of Service attack" etc., and argued that industry should not be forced to report a data breach before it is confirmed.

The industry itself agrees, however, that most data breaches need to be confirmed with an audit, that the recognition of a data breach often takes months by itself, and that after recognition the completion of the internal audit takes several more months. If the industry's demand in this respect were accepted, a data breach would not become public for more than a year.

Industry is, however, not averse to sharing some potential breach information with an industry organisation, because it knows that the industry organisation can be manipulated into hiding the information about the data breach. For example, many WannaCry infections of Bank ATMs were never reported by the Banks, and the public never came to know of them. Even a major cyber attack on a Bank after the SWIFT system hacking in Bangladesh was pushed under the carpet. Given the option, even the UIDAI would prefer not to publicise data breach reports on UIDAI, because they hurt the reputation of the system.

The strong opposition to data breach notification to the data subjects itself indicates that it is a very effective deterrent that industry cannot ignore. Hence it is absolutely essential that this data breach notification be incorporated in the law as a mandate. The time limit in other international regulations is around 30 to 60 days (the GDPR is stricter, requiring notification to the supervisory authority within 72 hours of becoming aware of the breach), and it would be necessary to make a provision for "Public Notification" within 30 days.

Where there is difficulty in confirming the data breach because of the need for an audit etc., the notice can say that the investigation is in progress and that the notice is a "Provisional Notice".

Some persons also raised the issue of the "cost of data breach notification" to the data subjects. The notification can be made

a) Through advertisement

b) Through a notice on the website of the Data Controller

c) Through a notification on the Data Protection Authority website

d) Through e-mail

In order to further reduce the cost of "advertisement", a suggestion was made to the effect that the Data Protection Authority could create a broadcast platform. A mention can however be made that such a service is already available at www.cyber-notice.com, along with Section 65B certification. Industry is yet to recognize the potential of the service, and perhaps a mandatory data breach notification requirement would make the industry realize the need for such services.

(Will be continued)

Naavi

Links to all the three parts of this report of the consultation are available here

Part I

Part II

Part III